Not only were they risks to themselves; it was unnerving to note that those computer users were also unknowing risks as online customers and as employees in both the public sector and business.

Customer data

Customer data was also lost as a result of ineffective online security. Citing a 55 percent increase in attacks on government agencies, telecommunication companies and utilities in August of 2006, IBM launched its Global Business Security Index.

The company reported that its customers were attacked 100 million times a month and that most attacks occurred on Saturdays and Sundays.

Stan Stahl

A widely known pioneer in security and the prevention of identity theft – premier consultant Stan Stahl, Ph.D., of Citadel Information Group – warned that security was a big issue in 2004.

He is an expert on the Federal Trade Commission rules under the Gramm-Leach-Bliley Act governing non-public personal information held by financial institutions.

He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.

His philosophy for a successful online security program includes:

Protect information assets from attack.

Detect illicit attacks on information assets.

Quickly recover from attacks, accidents or natural disasters.

Comply with applicable security and privacy laws, regulations, and policies.

Management security checklist

To protect the assets of both your customers and your company, here is his basic self-assessment management checklist:

2. Do you have an executive responsible for managing the protection of critical information assets, is this person explicitly trained in information security, and have you allocated budget and resources for protection?

3. Does the board or executive management review the organization’s information security posture at least semi-annually?

5. Is all critical and sensitive information explicitly identified as such and restricted to those having a “need to know?”

6. Are all employees and contractors provided regular ongoing information security training, including training in the safe handling of email and in password selection and protection, and are they held accountable for violations of security policy?

7. Have you coordinated your information security posture with customers, suppliers, and other trading partners whose computer systems you access or who access your computer systems?

8. Does your organization have documented recovery procedures to follow should a break-in, malware infestation or other security event occur?

9. Does your organization back up all workstations and servers at least weekly, are multiple back-ups stored offsite, and are back-ups periodically tested to ensure the ability to restore data if necessary?

10. Has your organization’s system architecture been explicitly designed in accordance with network security principles and practices, including the use of firewalls?

11. Is malware protection software on all servers and workstations and is someone explicitly responsible for monitoring malware alerts and ensuring that malware protection is up-to-date?

12. Is someone explicitly responsible for monitoring security patches and alerts, and ensuring hardware and software systems are up-to-date and properly protected?

13. Is access to servers, routers, and other network technology physically restricted to those whose job responsibilities require access?

14. Would you know if someone was illegitimately accessing critical information assets?

15. Has your organization had an independent third-party information security vulnerability assessment or penetration test within the last 12 months?

So, if security is a possible concern, I would follow Dr. Stahl’s advice.

From the Coach’s Corner, phishing attacks are also possible in mobile services:

“Once again, the opportunity to make money trumps security,” Dr. Stahl says. “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”

Why?

“It is not just phishing attacks to which they are vulnerable. We can take over cells running Bluetooth. Cell phones (like my iPhone) are often automatically configured to connect to the web using a wireless network over which neither the user nor the bank maintain any control. (I’ve changed this default setting on mine.) And because there have been few cell phone attacks to date, the community has little experience in how buggy the software products are and how responsive the vendors will be in fixing vulnerabilities when they show up.”

For the bottom line, he advises: “All in all, cell phone online banking is a big NO!!!”

“We don’t seem to be able to check crime, so why not legalize it and then tax it out of business.”

– Will Rogers

__________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.